- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sat, 8 Nov 2014 14:39:55 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, eisinger@google.com

> But such capability URLs that persist in the address bar are also
> likely to be accidentally leaked by users when taking screenshots /
> screencasting, end up in browsing histories, and may end up in crash
> logs submitted to vendors (Mozilla, for example, collects crash URLs).

Oops, I didn't finish this thought: my point was that if they are sensitive enough to need protection from their own origin, perhaps it'd be best not to keep them in long-lived URLs because of these other risks?

/mz

Received on Saturday, 8 November 2014 22:40:45 UTC